CVE-2025-32969: org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API

April 23, 2025 (updated April 30, 2025)

It is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when “Prevent unregistered users from viewing pages, regardless of the page rights” and “Prevent unregistered users from editing pages, regardless of the page rights” options are enabled.

Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.

The vulnerability may be tested in a default installation of XWIki Standard Flavor, including using the official Docker containers.

An example query, which leads to SQL injection with MySQL/MariaDB backend is shown below:

References

Code Behaviors & Features

Detect and mitigate CVE-2025-32969 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →